JLSEC-2025-3
- Source
- https://github.com/JuliaLang/SecurityAdvisories.jl/blob/main/advisories/published/2025/JLSEC-2025-3.md
- Import Source
- https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2025/JLSEC-2025-3.json
- JSON Data
- https://api.osv.dev/v1/vulns/JLSEC-2025-3
- Aliases
-
- CVE-2025-50178
- GHSA-g2xx-229f-3qjm
- Published
- 2025-10-08T17:41:37.190Z
- Modified
- 2025-11-06T22:57:35.007046Z
- Summary
- Lack of validation for user-provided fields in GitForge.jl
- Details
-
Description
There is a lack of input validation for user-provided values in certain functions.
In the
GitForge.get_repo()function for GitHub, the user can provide any string for theownerandrepo fields. These inputs are not validated or safely encoded and are sent directly to the server.Impact
This means a user can add path traversal patterns like
../in the input to access any other endpoints onapi.github.comthat were not intended.Patches
Users should upgrade immediately to v0.4.3. All prior versions are vulnerable.
Workarounds
None
References
Fixed by: https://github.com/JuliaWeb/GitForge.jl/pull/50 (which is available in v0.4.3).
Credits
Thanks to splitline from the DEVCORE Research Team for reporting this issue.
- Database specific
{ "license": "CC-BY-4.0", "sources": [ { "published": "2025-06-24T23:01:20Z", "url": "https://api.github.com/repos/JuliaWeb/GitForge.jl/security-advisories/GHSA-g2xx-229f-3qjm", "modified": "2025-06-24T23:01:20Z", "html_url": "https://github.com/JuliaWeb/GitForge.jl/security/advisories/GHSA-g2xx-229f-3qjm", "id": "GHSA-g2xx-229f-3qjm", "imported": "2025-10-07T02:52:16.795Z" } ] }- References
-